The Payments module can disclose the location of a custom admin path. While not a security exploit in itself, this can make it easier to perform password guessing and other attacks.

Product(s) Affected:

Magento CE and EE prior to 2.0.14/2.1.7

Fixed In:

Magento CE and EE 2.0.14/2.1.7

Reporter:

MBarry

APPSEC-1666: Information leak

Type:

Information Leak

CVSSv3 Severity:

4.3 (Medium)

Known Attacks:

None

Description:

Some of the requests returned by AJAX calls in the admin panel contain unnecessary configuration information that might expose sensitive system information.

Product(s) Affected:

Magento CE and EE prior to 2.0.14/2.1.7

Fixed In:

Magento CE and EE 2.0.14/2.1.7

Reporter:

Internal

APPSEC-1659: Vulnerabilities in JavaScript libraries

Type:

Misc Vulnerabilities

CVSSv3 Severity:

0 (None)

Known Attacks:

None

Description:

Magento uses versions of JavaScript libraries with known security vulnerabilities. Magento does not use the vulnerable functionality, and no Magento-specific attack vector has been found. However, out of caution, we’ve updated the JavaScript libraries in question to the latest versions.